Solved: Re: Splunk dashboard using drilldown showing detai... - Page 2

Luciana · ‎06-08-2021

Guys, I've created a dashboard where I hunt IOCs from OTX intelligence across several logs in Splunk.

This dashboard initially was created to show is some IOC was found, and once we click in the number (stats count command) , then the drilldown executes a second query giving us more information (|table command)

However, besides that, I want the dashboard send us an email in case the count >0 every time, then I used sendemail, however, I cant use the sendemail command where the stats count command is because I will receive an email only with the number 😞

so, I thought about using the sendemail in the second query, however, it only will send the email if one of us CLICK in the number , so, I was trying to find a way to turn the drilldown more automatic, which means, once the result >0, automatically the drilldown would be activated without clicking.

I am wonder if this is possible , or if there is other solution that I can use without giving up the design of the dashboard?

Below the dashboard source:

(pay attention to the lookup that I am doing for domain)

<label>_My company_IOC hits by OTX</label>

<description>(proxy, Firewalls, load balancers)</description>

<label>Time Range</label>

</default>

</input>

<label>Wildcard Search</label>

</input>

</fieldset>

<row>

<panel>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

<refreshType>delay</refreshType>

</search>

<option name="colorMode">block</option>

<option name="refresh.display">progressbar</option>

</drilldown>

</single>

</panel>

<panel>

<title>Hits by Domain/Hostname</title>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

<refreshType>delay</refreshType>

</search>

<option name="colorMode">block</option>

<option name="refresh.display">progressbar</option>

<set token="alert">index = XXX_XXX_My Tool_proxy_all_01 sourcetype=My Toolnss-web action=Allowed [|inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname] |dedup user | table _time, hostname, domain, user, serverip, ClientIP |sendemail to="myaddress@mydomamin.com" server=smtp.server.co.nz subject="OTX - My Tool Notification - IOC found by Domain" message="This is an test message" sendresults=true inline=true format=csv</set>

</drilldown>

I really appreciate any help or idea. thanks Luciana

kamlesh_vaghela · ‎06-17-2021

@Luciana

By setting and unsetting token, you can trigger search to execute it.

Check below example, Here tkn_second_search is set when first search have some count. Please try this XML and let me know if any issue.

<dashboard>
  <label>Single Value Test</label>
  <search id="first_search">
    <query>index = xxx sourcetype=xxx action=Allowed [|inputlookup OTX | search type=URL | rename indicator as url | table url] |dedup user |stats count
    </query>
    <done>
      <condition match="'result.count'!= &quot;0&quot;">
        <set token="tkn_second_search">
index = xxx sourcetype=xxx action=Allowed [|inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname]
|dedup user |table _time, hostname, domain, user, serverip, ClientIP |sendemail to="myemail.co.nz" server=smtp.server.co.nz subject="Notification - IOC found by url" message="This is an test message" sendresults=true inline=true format=csv
        </set>
      </condition>
      <condition>
        <unset token="tkn_second_search"></unset>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html>
        Second Search Token = $tkn_second_search$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>$tkn_second_search$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

My Sample XML:

<dashboard>
  <label>Dependent Search Example</label>
  <search id="first_search">
    <query>| makeresults | eval count=1 | table count</query>
    <done>
      <condition match="'result.count'!= &quot;0&quot;">
        <set token="tkn_second_search">| makeresults | eval msg="Hello"</set>
      </condition>
      <condition>
        <unset token="tkn_second_search"></unset>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <html>
        Second Search Token = $tkn_second_search$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>$tkn_second_search$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎06-20-2021

Yes @Luciana

The reason!! My code on case of static values with No filters. But you can achieve this by adding below code on change of your filter,

        <unset token="tkn_second_search"></unset>

🙂

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Luciana · ‎06-20-2021

but, I am doing it: check below:

<search id="main_search1">
<query>index = my index sourcetype=my sourcetype action=Allowed [|inputlookup OTX | search type=URL | rename indicator as url | table url] |dedup user |stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<refresh>3600s</refresh>
<done>
<condition match="'result.count'!= "0No event for this table"">
<set token="tkn_first_search">index = my index sourcetype= my sourcetype action=Allowed [|inputlookup OTX | search type=URL | rename indicator as url | table url] |dedup user | table _time, url, user, serverip, ClientIP |sendemail to="myemail@domain.co.nz" server=smtp.server.co.nz subject="OTX - Notification - IOC found by Domain" message="This is an test message" sendresults=true inline=true format=csv</set>
</condition>
<condition>
<unset token="tkn_first_search"></unset>
</condition>
</done>
</search>

kamlesh_vaghela · ‎06-20-2021

It should be with filters also..

Can you please share sample Filter code?

Luciana · ‎06-21-2021

@kamlesh_vaghela , this is the whole code for 2 searches (URL and Domain stats count and their respective panel that shows the second search ).

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

<done>

<set token="tkn_first_search"> index = xxx sourcetype=xxxx action=Allowed [|inputlookup OTX | search type=URL | rename indicator as url | table url] |dedup user | table _time, url, user, serverip, ClientIP |sendemail to="luciana.campos@Company.co.nz" server=smtp.Company.co.nz subject="OTX XXX Notification - IOC found by Domain" message="This is an test message" sendresults=true inline=true format=csv</set>

</condition>

</condition>

</done>

</search>

<option name="colorMode">block</option>

<option name="refresh.display">progressbar</option>

<option name="underLabel">Domainyrl</option>

</single>

</panel>

<panel>

<title>my title</title>

<title>Hits by Domain_Hostname</title>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

<done>

<set token="tkn_second_search"> index = xxx sourcetype=xxxx action=Allowed [|inputlookup OTX | search type=domain OR type=hostname | rename indicator as hostname | table hostname] |dedup user |table _time, hostname, domain, user, serverip, ClientIP |sendemail to="luciana.campos@Company.co.nz" server=smtp.Company.co.nz subject="OTX - XXX Notification - IOC found by Domain" message="This is an test message" sendresults=true inline=true format=csv</set>

</condition>

</condition>

</done>

</search>

<option name="colorMode">block</option>

<option name="refresh.display">progressbar</option>

<option name="underLabel">Domainyrl</option>

</single>

</panel>

<panel>

<title>Query 1</title>

<table>

<query>$tkn_first_search$</query>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Query2</title>

<table>

<query>$tkn_second_search$</query>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

kamlesh_vaghela · ‎06-21-2021

@Luciana

Can you please try this sample code? You should add unset token in on change of filter like time filter and any other filter.

<input type="time" token="time">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <unset token="tkn_second_search"></unset>
    <unset token="tkn_first_search"></unset>
  </change>
</input>

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Splunk dashboard using drilldown showing detailed info, but also sending email alert for us if result > 0

lookup

stats

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Splunk dashboard using drilldown showing detailed info, but also sending email alert for us if result > 0

lookup

stats

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!